| blob | 46554f9014f9b01c6465e2b2a3b47a4ee2901aa8 |
1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
2 --- a/nss/lib/ssl/ssl3con.c 2013-07-31 12:45:11.497944276 -0700
3 +++ b/nss/lib/ssl/ssl3con.c 2013-07-31 12:51:32.663550380 -0700
4 @@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateSta
5 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
6 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
7 static SECStatus ssl3_SendNextProto( sslSocket *ss);
8 +static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
9 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
10 static SECStatus ssl3_SendServerHello( sslSocket *ss);
11 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
12 @@ -5891,6 +5892,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS
13 }
14 #endif /* NSS_PLATFORM_CLIENT_AUTH */
16 + if (ss->ssl3.channelID != NULL) {
17 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
18 + ss->ssl3.channelID = NULL;
19 + }
20 + if (ss->ssl3.channelIDPub != NULL) {
21 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
22 + ss->ssl3.channelIDPub = NULL;
23 + }
24 +
25 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
26 if (temp < 0) {
27 goto loser; /* alert has been sent */
28 @@ -6170,7 +6180,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
29 if (rv != SECSuccess) {
30 goto alert_loser; /* err code was set */
31 }
32 - return SECSuccess;
33 + goto winner;
34 } while (0);
36 if (sid_match)
37 @@ -6196,6 +6206,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS
39 ss->ssl3.hs.isResuming = PR_FALSE;
40 ss->ssl3.hs.ws = wait_server_cert;
41 +
42 +winner:
43 + /* If we will need a ChannelID key then we make the callback now. This
44 + * allows the handshake to be restarted cleanly if the callback returns
45 + * SECWouldBlock. */
46 + if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
47 + rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
48 + &ss->ssl3.channelIDPub, &ss->ssl3.channelID);
49 + if (rv == SECWouldBlock) {
50 + ssl3_SetAlwaysBlock(ss);
51 + return rv;
52 + }
53 + if (rv != SECSuccess ||
54 + ss->ssl3.channelIDPub == NULL ||
55 + ss->ssl3.channelID == NULL) {
56 + PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
57 + desc = internal_error;
58 + goto alert_loser;
59 + }
60 + }
61 +
62 return SECSuccess;
64 alert_loser:
65 @@ -6993,6 +7024,10 @@ ssl3_SendClientSecondRound(sslSocket *ss
66 goto loser; /* err code was set. */
67 }
68 }
69 + rv = ssl3_SendEncryptedExtensions(ss);
70 + if (rv != SECSuccess) {
71 + goto loser; /* err code was set. */
72 + }
74 rv = ssl3_SendFinished(ss, 0);
75 if (rv != SECSuccess) {
76 @@ -9947,6 +9982,165 @@ ssl3_RecordKeyLog(sslSocket *ss)
77 return;
78 }
80 +/* called from ssl3_SendClientSecondRound
81 + * ssl3_HandleFinished
82 + */
83 +static SECStatus
84 +ssl3_SendEncryptedExtensions(sslSocket *ss)
85 +{
86 + static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
87 + /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
88 + * SEQUENCE
89 + * SEQUENCE
90 + * OID id-ecPublicKey
91 + * OID prime256v1
92 + * BIT STRING, length 66, 0 trailing bits: 0x04
93 + *
94 + * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
95 + * public key. Following that are the two field elements as 32-byte,
96 + * big-endian numbers, as required by the Channel ID. */
97 + static const unsigned char P256_SPKI_PREFIX[] = {
98 + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
99 + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
100 + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
101 + 0x42, 0x00, 0x04
102 + };
103 + /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
104 + * bytes of ECDSA signature. */
105 + static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
106 + static const int CHANNEL_ID_LENGTH = 128;
107 +
108 + SECStatus rv = SECFailure;
109 + SECItem *spki = NULL;
110 + SSL3Hashes hashes;
111 + const unsigned char *pub_bytes;
112 + unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)];
113 + unsigned char digest[SHA256_LENGTH];
114 + SECItem digest_item;
115 + unsigned char signature[64];
116 + SECItem signature_item;
117 +
118 + PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
119 + PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
120 +
121 + if (ss->ssl3.channelID == NULL)
122 + return SECSuccess;
123 +
124 + PORT_Assert(ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn));
125 +
126 + if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey ||
127 + PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) {
128 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
129 + rv = SECFailure;
130 + goto loser;
131 + }
132 +
133 + ssl_GetSpecReadLock(ss);
134 + rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
135 + ssl_ReleaseSpecReadLock(ss);
136 +
137 + if (rv != SECSuccess)
138 + goto loser;
139 +
140 + rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
141 + 2 + 2 + CHANNEL_ID_LENGTH);
142 + if (rv != SECSuccess)
143 + goto loser; /* error code set by AppendHandshakeHeader */
144 + rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
145 + if (rv != SECSuccess)
146 + goto loser; /* error code set by AppendHandshake */
147 + rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2);
148 + if (rv != SECSuccess)
149 + goto loser; /* error code set by AppendHandshake */
150 +
151 + spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub);
152 +
153 + if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
154 + memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) {
155 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
156 + rv = SECFailure;
157 + goto loser;
158 + }
159 +
160 + pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
161 +
162 + memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
163 + memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), hashes.u.raw, hashes.len);
164 +
165 + rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data,
166 + sizeof(CHANNEL_ID_MAGIC) + hashes.len);
167 + if (rv != SECSuccess)
168 + goto loser;
169 +
170 + digest_item.data = digest;
171 + digest_item.len = sizeof(digest);
172 +
173 + signature_item.data = signature;
174 + signature_item.len = sizeof(signature);
175 +
176 + rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
177 + if (rv != SECSuccess)
178 + goto loser;
179 +
180 + rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH);
181 + if (rv != SECSuccess)
182 + goto loser;
183 + rv = ssl3_AppendHandshake(ss, signature, sizeof(signature));
184 +
185 +loser:
186 + if (spki)
187 + SECITEM_FreeItem(spki, PR_TRUE);
188 + if (ss->ssl3.channelID) {
189 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
190 + ss->ssl3.channelID = NULL;
191 + }
192 + if (ss->ssl3.channelIDPub) {
193 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
194 + ss->ssl3.channelIDPub = NULL;
195 + }
196 +
197 + return rv;
198 +}
199 +
200 +/* ssl3_RestartHandshakeAfterChannelIDReq is called to restart a handshake
201 + * after a ChannelID callback returned SECWouldBlock. At this point we have
202 + * processed the server's ServerHello but not yet any further messages. We will
203 + * always get a message from the server after a ServerHello so either they are
204 + * waiting in the buffer or we'll get network I/O. */
205 +SECStatus
206 +ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss,
207 + SECKEYPublicKey *channelIDPub,
208 + SECKEYPrivateKey *channelID)
209 +{
210 + if (ss->handshake == 0) {
211 + SECKEY_DestroyPublicKey(channelIDPub);
212 + SECKEY_DestroyPrivateKey(channelID);
213 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
214 + return SECFailure;
215 + }
216 +
217 + if (channelIDPub == NULL ||
218 + channelID == NULL) {
219 + if (channelIDPub)
220 + SECKEY_DestroyPublicKey(channelIDPub);
221 + if (channelID)
222 + SECKEY_DestroyPrivateKey(channelID);
223 + PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
224 + return SECFailure;
225 + }
226 +
227 + if (ss->ssl3.channelID)
228 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
229 + if (ss->ssl3.channelIDPub)
230 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
231 +
232 + ss->handshake = ssl_GatherRecord1stHandshake;
233 + ss->ssl3.channelID = channelID;
234 + ss->ssl3.channelIDPub = channelIDPub;
235 +
236 + return SECSuccess;
237 +}
238 +
239 /* called from ssl3_HandleServerHelloDone
240 * ssl3_HandleClientHello
241 * ssl3_HandleFinished
242 @@ -10202,11 +10396,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
243 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
244 }
246 - if (!isServer && !ss->firstHsDone) {
247 - rv = ssl3_SendNextProto(ss);
248 - if (rv != SECSuccess) {
249 - goto xmit_loser; /* err code was set. */
250 + if (!isServer) {
251 + if (!ss->firstHsDone) {
252 + rv = ssl3_SendNextProto(ss);
253 + if (rv != SECSuccess) {
254 + goto xmit_loser; /* err code was set. */
255 + }
256 }
257 + rv = ssl3_SendEncryptedExtensions(ss);
258 + if (rv != SECSuccess)
259 + goto xmit_loser; /* err code was set. */
260 }
262 if (IS_DTLS(ss)) {
263 @@ -11635,6 +11834,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
264 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
265 #endif /* NSS_PLATFORM_CLIENT_AUTH */
267 + if (ss->ssl3.channelID)
268 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
269 + if (ss->ssl3.channelIDPub)
270 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
271 +
272 if (ss->ssl3.peerCertArena != NULL)
273 ssl3_CleanupPeerCerts(ss);
275 diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
276 --- a/nss/lib/ssl/ssl3ext.c 2013-07-31 12:40:14.493586151 -0700
277 +++ b/nss/lib/ssl/ssl3ext.c 2013-07-31 12:45:50.338515793 -0700
278 @@ -60,6 +60,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSo
279 PRUint32 maxBytes);
280 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
281 SECItem *data);
282 +static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss,
283 + PRUint16 ex_type, SECItem *data);
284 +static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append,
285 + PRUint32 maxBytes);
286 static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
287 PRBool append, PRUint32 maxBytes);
288 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
289 @@ -248,6 +252,7 @@ static const ssl3HelloExtensionHandler s
290 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
291 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
292 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
293 + { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
294 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
295 { -1, NULL }
296 };
297 @@ -274,6 +279,7 @@ ssl3HelloExtensionSender clientHelloSend
298 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
299 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
300 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
301 + { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
302 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
303 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
304 /* any extra entries will appear as { 0, NULL } */
305 @@ -660,6 +666,52 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocke
306 }
308 return extension_length;
309 +
310 +loser:
311 + return -1;
312 +}
313 +
314 +static SECStatus
315 +ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
316 + SECItem *data)
317 +{
318 + PORT_Assert(ss->getChannelID != NULL);
319 +
320 + if (data->len) {
321 + PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA);
322 + return SECFailure;
323 + }
324 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
325 + return SECSuccess;
326 +}
327 +
328 +static PRInt32
329 +ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append,
330 + PRUint32 maxBytes)
331 +{
332 + PRInt32 extension_length = 4;
333 +
334 + if (!ss->getChannelID)
335 + return 0;
336 +
337 + if (maxBytes < extension_length) {
338 + PORT_Assert(0);
339 + return 0;
340 + }
341 +
342 + if (append) {
343 + SECStatus rv;
344 + rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
345 + if (rv != SECSuccess)
346 + goto loser;
347 + rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
348 + if (rv != SECSuccess)
349 + goto loser;
350 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
351 + ssl_channel_id_xtn;
352 + }
353 +
354 + return extension_length;
356 loser:
357 return -1;
358 diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
359 --- a/nss/lib/ssl/ssl3prot.h 2013-07-31 12:07:10.974699609 -0700
360 +++ b/nss/lib/ssl/ssl3prot.h 2013-07-31 12:45:50.338515793 -0700
361 @@ -129,7 +129,8 @@ typedef enum {
362 client_key_exchange = 16,
363 finished = 20,
364 certificate_status = 22,
365 - next_proto = 67
366 + next_proto = 67,
367 + encrypted_extensions= 203
368 } SSL3HandshakeType;
370 typedef struct {
371 diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
372 --- a/nss/lib/ssl/sslauth.c 2013-07-31 12:40:14.503586299 -0700
373 +++ b/nss/lib/ssl/sslauth.c 2013-07-31 12:45:50.338515793 -0700
374 @@ -219,6 +219,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
375 return SECSuccess;
376 }
378 +SECStatus
379 +SSL_SetClientChannelIDCallback(PRFileDesc *fd,
380 + SSLClientChannelIDCallback callback,
381 + void *arg) {
382 + sslSocket *ss = ssl_FindSocket(fd);
383 +
384 + if (!ss) {
385 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback",
386 + SSL_GETPID(), fd));
387 + return SECFailure;
388 + }
389 +
390 + ss->getChannelID = callback;
391 + ss->getChannelIDArg = arg;
392 +
393 + return SECSuccess;
394 +}
395 +
396 #ifdef NSS_PLATFORM_CLIENT_AUTH
397 /* NEED LOCKS IN HERE. */
398 SECStatus
399 diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
400 --- a/nss/lib/ssl/sslerr.h 2013-07-31 12:07:10.974699609 -0700
401 +++ b/nss/lib/ssl/sslerr.h 2013-07-31 12:45:50.338515793 -0700
402 @@ -193,6 +193,10 @@ SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = (
403 SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127),
404 SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128),
406 +SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129),
407 +SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130),
408 +SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131),
409 +
410 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
411 } SSLErrorCodes;
412 #endif /* NO_SECURITY_ERROR_ENUM */
413 diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
414 --- a/nss/lib/ssl/SSLerrs.h 2013-07-31 12:07:10.964699464 -0700
415 +++ b/nss/lib/ssl/SSLerrs.h 2013-07-31 12:45:50.338515793 -0700
416 @@ -412,3 +412,12 @@ ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR
418 ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128),
419 "Incorrect signature algorithm specified in a digitally-signed element.")
420 +
421 +ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 129),
422 +"SSL received a malformed TLS Channel ID extension.")
423 +
424 +ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 130),
425 +"The application provided an invalid TLS Channel ID key.")
426 +
427 +ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131),
428 +"The application could not get a TLS Channel ID.")
429 diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
430 --- a/nss/lib/ssl/ssl.h 2013-07-31 12:45:11.497944276 -0700
431 +++ b/nss/lib/ssl/ssl.h 2013-07-31 12:45:50.338515793 -0700
432 @@ -958,6 +958,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti
433 SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd,
434 PRBool *last_handshake_resumed);
436 +/* See SSL_SetClientChannelIDCallback for usage. If the callback returns
437 + * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in
438 + * the future to restart the handshake. On SECSuccess, the callback must have
439 + * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */
440 +typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)(
441 + void *arg,
442 + PRFileDesc *fd,
443 + SECKEYPublicKey **out_public_key,
444 + SECKEYPrivateKey **out_private_key);
445 +
446 +/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake
447 + * after a ChannelID callback returned SECWouldBlock.
448 + *
449 + * This function takes ownership of |channelIDPub| and |channelID|. */
450 +SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq(
451 + PRFileDesc *fd,
452 + SECKEYPublicKey *channelIDPub,
453 + SECKEYPrivateKey *channelID);
454 +
455 +/* SSL_SetClientChannelIDCallback sets a callback function that will be called
456 + * once the server's ServerHello has been processed. This is only applicable to
457 + * a client socket and setting this callback causes the TLS Channel ID
458 + * extension to be advertised. */
459 +SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback(
460 + PRFileDesc *fd,
461 + SSLClientChannelIDCallback callback,
462 + void *arg);
463 +
464 /*
465 ** How long should we wait before retransmitting the next flight of
466 ** the DTLS handshake? Returns SECFailure if not DTLS or not in a
467 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
468 --- a/nss/lib/ssl/sslimpl.h 2013-07-31 12:45:11.497944276 -0700
469 +++ b/nss/lib/ssl/sslimpl.h 2013-07-31 12:45:50.338515793 -0700
470 @@ -921,6 +921,9 @@ struct ssl3StateStr {
471 CERTCertificateList *clientCertChain; /* used by client */
472 PRBool sendEmptyCert; /* used by client */
474 + SECKEYPrivateKey *channelID; /* used by client */
475 + SECKEYPublicKey *channelIDPub; /* used by client */
476 +
477 int policy;
478 /* This says what cipher suites we can do, and should
479 * be either SSL_ALLOWED or SSL_RESTRICTED
480 @@ -1192,6 +1195,8 @@ const unsigned char * preferredCipher;
481 void *pkcs11PinArg;
482 SSLNextProtoCallback nextProtoCallback;
483 void *nextProtoArg;
484 + SSLClientChannelIDCallback getChannelID;
485 + void *getChannelIDArg;
487 PRIntervalTime rTimeout; /* timeout for NSPR I/O */
488 PRIntervalTime wTimeout; /* timeout for NSPR I/O */
489 @@ -1524,6 +1529,11 @@ extern SECStatus ssl3_RestartHandshakeAf
490 SECKEYPrivateKey * key,
491 CERTCertificateList *certChain);
493 +extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq(
494 + sslSocket *ss,
495 + SECKEYPublicKey *channelIDPub,
496 + SECKEYPrivateKey *channelID);
497 +
498 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
500 /*
501 diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c
502 --- a/nss/lib/ssl/sslsecur.c 2013-07-31 12:45:11.497944276 -0700
503 +++ b/nss/lib/ssl/sslsecur.c 2013-07-31 12:45:50.338515793 -0700
504 @@ -1502,6 +1502,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileD
505 return ret;
506 }
508 +SECStatus
509 +SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc * fd,
510 + SECKEYPublicKey * channelIDPub,
511 + SECKEYPrivateKey *channelID)
512 +{
513 + sslSocket * ss = ssl_FindSocket(fd);
514 + SECStatus ret;
515 +
516 + if (!ss) {
517 + SSL_DBG(("%d: SSL[%d]: bad socket in"
518 + " SSL_RestartHandshakeAfterChannelIDReq",
519 + SSL_GETPID(), fd));
520 + goto loser;
521 + }
522 +
523 +
524 + ssl_Get1stHandshakeLock(ss);
525 +
526 + if (ss->version < SSL_LIBRARY_VERSION_3_0) {
527 + PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
528 + ssl_Release1stHandshakeLock(ss);
529 + goto loser;
530 + }
531 +
532 + ret = ssl3_RestartHandshakeAfterChannelIDReq(ss, channelIDPub,
533 + channelID);
534 + ssl_Release1stHandshakeLock(ss);
535 +
536 + return ret;
537 +
538 +loser:
539 + SECKEY_DestroyPublicKey(channelIDPub);
540 + SECKEY_DestroyPrivateKey(channelID);
541 + return SECFailure;
542 +}
543 +
544 /* DO NOT USE. This function was exported in ssl.def with the wrong signature;
545 * this implementation exists to maintain link-time compatibility.
546 */
547 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
548 --- a/nss/lib/ssl/sslsock.c 2013-07-31 12:44:32.017363288 -0700
549 +++ b/nss/lib/ssl/sslsock.c 2013-07-31 12:45:50.348515937 -0700
550 @@ -354,6 +354,8 @@ ssl_DupSocket(sslSocket *os)
551 ss->handshakeCallback = os->handshakeCallback;
552 ss->handshakeCallbackData = os->handshakeCallbackData;
553 ss->pkcs11PinArg = os->pkcs11PinArg;
554 + ss->getChannelID = os->getChannelID;
555 + ss->getChannelIDArg = os->getChannelIDArg;
557 /* Create security data */
558 rv = ssl_CopySecurityInfo(ss, os);
559 @@ -1754,6 +1756,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
560 ss->handshakeCallbackData = sm->handshakeCallbackData;
561 if (sm->pkcs11PinArg)
562 ss->pkcs11PinArg = sm->pkcs11PinArg;
563 + if (sm->getChannelID)
564 + ss->getChannelID = sm->getChannelID;
565 + if (sm->getChannelIDArg)
566 + ss->getChannelIDArg = sm->getChannelIDArg;
567 return fd;
568 loser:
569 return NULL;
570 @@ -3027,6 +3033,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
571 ss->badCertArg = NULL;
572 ss->pkcs11PinArg = NULL;
573 ss->ephemeralECDHKeyPair = NULL;
574 + ss->getChannelID = NULL;
575 + ss->getChannelIDArg = NULL;
577 ssl_ChooseOps(ss);
578 ssl2_InitSocketPolicy(ss);
579 diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
580 --- a/nss/lib/ssl/sslt.h 2013-07-31 12:07:10.974699609 -0700
581 +++ b/nss/lib/ssl/sslt.h 2013-07-31 12:45:50.348515937 -0700
582 @@ -184,9 +184,10 @@ typedef enum {
583 ssl_use_srtp_xtn = 14,
584 ssl_session_ticket_xtn = 35,
585 ssl_next_proto_nego_xtn = 13172,
586 + ssl_channel_id_xtn = 30031,
587 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
588 } SSLExtensionType;
590 -#define SSL_MAX_EXTENSIONS 9
591 +#define SSL_MAX_EXTENSIONS 10
593 #endif /* __sslt_h_ */